b'AUDIT OF INFORMATION SECURITY\n           PROGRAM\n     Department of Transportation\n\n     Report Number: FI\xe2\x80\x932009\xe2\x80\x93003\n     Date Issued: October 8, 2008\n\x0c           U.S. Department of\n                                                  Memorandum\n           Transportation\n           Office of the Secretary\n           of Transportation\n           Office of Inspector General\n\n\nSubject:   ACTION: Audit of Information Security                     Date:    October 8, 2008\n           Program, Department of Transportation,\n           Report Number: FI-2009-003\n\n  From:    Calvin L. Scovel III                                   Reply to\n                                                                  Attn. of:   JA\xe2\x80\x9320\n           Inspector General\n\n    To:    Chief Information Officer\n\n           This report presents the results of our annual audit of the Department of\n           Transportation\xe2\x80\x99s (DOT) information security program and practices, as required\n           by the Federal Information Security Management Act of 2002 (FISMA). FISMA\n           further requires that our evaluation include testing of a representative subset of\n           systems and an assessment, based on our testing, of the Department\xe2\x80\x99s compliance\n           with FISMA and applicable requirements. On July 14, 2008, the Office of\n           Management and Budget (OMB) issued M-08-21, Reporting Instructions for the\n           Federal Information Security Management Act and Agency Privacy Management,\n           which provides instructions for inspectors general to use in completing this year\xe2\x80\x99s\n           FISMA evaluation, including the OMB template.\n\n           Consistent with FISMA and OMB requirements, our audit objective was to\n           determine the effectiveness of DOT\xe2\x80\x99s information security program and practices.\n           Specifically, we assessed the status of DOT\xe2\x80\x99s (1) implementation of minimum\n           security standards, including progress in addressing issues identified previously in\n           risk categorization and managing corrective actions; (2) configuration\n           management, including deployment of baseline configurations and addressing\n           telecommuting issues; (3) incident-handling and reporting; and (4) renewed\n           initiatives in addressing Air Traffic Control system security weaknesses, including\n           business continuity planning and testing of operational systems security outside of\n           the computer laboratory.\n\n           As instructed, we tested a representative subset of the Department\xe2\x80\x99s systems, and\n           included the results in OMB\xe2\x80\x99s required template (see Exhibit A and Table 7 in\n           Exhibit B). Our testing included interviews with key information security\n           personnel, reviews of technical documentation, and analysis of the Department\xe2\x80\x99s\n           reported information security statistics. We conducted our audit in accordance\n           with generally accepted government auditing standards. Those standards require\n\x0c                                                                                  2\n\n\nthat we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objectives. Details of our scope\nand methodology are described in Exhibit B.\n\n\nINTRODUCTION\n\nFISMA requires Federal agencies to identify and provide security protection\ncommensurate with the risk and magnitude of harm resulting from the loss of,\nmisuse of, unauthorized access to, disclosure of, disruption to, or modification of\ninformation collected or maintained by or on behalf of an agency. FISMA and its\npredecessor, the Government Information Security Reform Act (GISRA), required\nthe inspectors general to evaluate agencies\xe2\x80\x99 information security programs and\npractices.\n\nThe Department has 13 Operating Administrations that, for Fiscal Year (FY)\n2008, reported a total of 425 information systems, of which 62 percent belong to\nthe Federal Aviation Administration (FAA). Among the systems the Department\nmaintains and operates is the air traffic control system, which the President has\ndesignated as part of the critical national infrastructure. Other systems owned by\nthe Department include safety-sensitive surface transportation systems and\nfinancial systems that are used to manage and disburse over $50 billion in Federal\nfunds each year. In FY 2008, the departmental IT budget totaled about $2.8\nbillion. Systems inventory counts for FY 2007 and FY 2008 for each Operating\nAdministration are detailed in Exhibit C.\n\n\nRESULTS IN BRIEF\nThe Department\xe2\x80\x99s information security program and practices are not effective.\nAs a result, the Department is not in compliance with FISMA and OMB\nrequirements for security information systems and providing privacy protection of\npersonally identifiable information (PII). Last year we reported that the overall\neffectiveness of DOT\xe2\x80\x99s information security program declined because\nmanagement had to divert resources and attention to resolving Headquarters\nmove-related issues. 1 While we observed some operational improvements, we\nnonetheless continued to see a decline in the Department\xe2\x80\x99s program and practices.\n(See the comparison between these 2 years in Exhibit D). As noted in Exhibit E,\nour prior year\xe2\x80\x99s information security-related recommendations have not been fully\nimplemented.\n\n\n1\n    DOT Information Security Program, OIG Report FI-2008-001, October 10, 2007.\n\x0c                                                                               3\n\n\nDeveloping a robust information security program, including implementation of\nour current and prior years\xe2\x80\x99 recommendations, requires (1) the Chief Information\nOfficer (CIO) Office to effectively oversee Operating Administrations\xe2\x80\x99\nimplementation of departmental policies/guidance, and (2) stability in the Office\nof the Chief Information Security Officer (CISO). However, when compared with\nsome of his counterparts in other Federal agencies and other appointed officials\nwithin the Department, the DOT CIO has limited influence on Operating\nAdministrations. Unless there are management or budgeting consequences,\nOperating Administrations are likely to continue the practice of not effectively\nimplementing departmental policies/guidance. We are making a recommendation\nto increase Operating Administrations\xe2\x80\x99 accountability. During FY 2008, the\nDepartment\xe2\x80\x99s performance was also hindered by significant turnover in the Office\nof the CISO.\n\nFor FY 2008, we found:\n\n    1. The Department has not established adequate policies or procedures to\n       implement and maintain an effective Departmentwide information security\n       program or to address key OMB privacy requirements. Specifically, the\n       Department has a backlog of information-security policy awaiting\n       publication and has not addressed key privacy requirements. For example,\n       OMB mandated that\xe2\x80\x94by September 22, 2007\xe2\x80\x94agencies develop and\n       implement a \xe2\x80\x9cbreach-notification policy\xe2\x80\x9d and a plan to reduce the use of\n       Social Security numbers. This has not happened at DOT. Without this\n       policy, the Department cannot effectively direct or ensure that citizens\n       whose private information is compromised are properly notified. We also\n       found that the Department has not established a FISMA data collection\n       cut-off date, as requested by OMB. Without a cut-off date, the\n       Department does not have sufficient time to perform meaningful internal\n       review or assess the results submitted to it by the Operating\n       Administrations.\n\n    2. The Department was not adequately protecting its computer networks.\n       Specifically, it was not effectively managing the configuration of the\n       commercial software installed on departmental computers. Further, it has\n       not fully developed sufficient security incident-monitoring and -reporting\n       capabilities to protect the networks from intrusion. To reduce system\n       vulnerabilities, both OMB and the Department require that commercial\n       software, such as the Windows operating system and Oracle database\n       system, be installed in accordance with specific Government security\n       configuration standards. We have reported a lack of progress in this\n       critical area since FY 2006. Last year, the Department reported that less\n       than 50 percent of departmental computers were in compliance with\n       configuration standards. This year, however, the Department was not able\n\x0c                                                                            4\n\n\n   to track Operating Administration compliance rates. Meanwhile, our\n   testing continued to find computers without proper configuration, resulting\n   in unnecessary vulnerabilities to departmental networks.\n\n    During FY 2008, the Department established a consolidated Cyber\n    Security Management Center (CSMC) and a common framework for\n    Departmentwide incident-monitoring and -reporting. This not only\n    improved visibility of Headquarters networks for security monitoring, but\n    also better positioned the Department to combat increasing cyber security\n    threats. However, DOT\xe2\x80\x99s ability to respond to computer security\n    incidents remained hindered by insufficient intrusion-detection of field\n    networks and late reporting of incidents involving the potential\n    compromise of PII.\n\n3. The Department was not ensuring that all of its employees and contractors\n   receive the appropriate degree of computer-security training needed to\n   prevent them from contributing to security weaknesses and breaches. In\n   particular, the Department was unable to effectively track contractors who\n   needed security-awareness or other specialized security training. In\n   addition, the Department did not address collaborative Web technologies\n   in its security-awareness training, as required by OMB.\n\n4. The Department was not identifying all information-security weaknesses\n   or ensuring the timely resolution and prioritization of those that are\n   identified. The Department is required to track and manage information\n   security weaknesses in plans of actions and milestones (POA&M). We\n   continued to find information-security weaknesses that were identified but\n   not included in POA&Ms. Of the weaknesses that were identified and\n   tracked in the Department\xe2\x80\x99s POA&M system, many of the high and\n   moderate weaknesses were not remediated in a timely manner, resulting in\n   unnecessary vulnerabilities in the Department\xe2\x80\x99s systems. For example, we\n   found that remediation of unencrypted laptops containing PII was past due\n   for more than a year. We also found many for which the priority level had\n   not been assigned, and the cost of completing the remedial actions had not\n   been estimated for more than half of the security weaknesses in the\n   POA&M database. Without cost estimates and adequate prioritization, the\n   Department cannot effectively and efficiently resolve information security\n   weaknesses.\n\n5. The Department was not sufficiently protecting its systems or ensuring\n   that they can be recovered when necessary. The Department has not\n   adequately identified all systems that provide services to citizens via the\n   Internet and therefore are subject to OMB e-authentication requirements,\n   and it is not validating that those requirements have been met for the\n\x0c                                                                                                                           5\n\n\n             e-authentication systems it has identified. E-authentication provides\n             assurance to each citizen that the Department is protecting private\n             information by ensuring that only the citizen can access the account. In\n             addition, we noted that 8 of 16 sampled systems did not have certifications\n             and accreditations (C&A) that complied with National Institute of\n             Standards and Technology (NIST) standards. Further, 20 of the Federal\n             Highway Administration\xe2\x80\x99s (FHWA) 26 systems had not been recertified\n             and were operating without accreditation, including two high-impact\n             systems whose certifications and accreditations expired in November\n             2007. Finally, the Department is not adequately testing all of its system\n             contingency plans and therefore cannot ensure that such plans will enable\n             the recovery of essential systems in the event of disruption.\n\nLast year, we reported that the Department needed to better secure network\nconnections to allow employees to telecommute without creating additional\nvulnerabilities when connecting unsecure home computers to Department\nnetworks. According to management, the Department is currently using\nspecialized software to check for basic security controls in employee home\ncomputers, such as firewalls and anti-virus software, before granting network\nconnections. While this does mitigate some of the risks, these security checks are\nnot sufficient because they do not determine whether employee home computers\ncontain any malicious software that could compromise the Department\xe2\x80\x99s networks\nor systems. Consistent with our prior year\xe2\x80\x99s recommendation, we encourage\ndepartmental officials to continue exploring alternatives to support telecommuting\ninitiatives while protecting departmental networks. Because these issues were\npreviously reported, we are not including additional details in this report. 2\n\nDuring FY 2008, as part of its renewed initiatives in addressing air traffic control\nsystems security\xe2\x80\x94part of the Nation\xe2\x80\x99s critical infrastructure\xe2\x80\x94FAA made progress\nin implementing a business continuity plan for air traffic control en route centers. 3\nHowever, its ability to handle long-term service disruptions remains unknown\nbecause of unresolved operational issues. FAA has also expanded security\nevaluations of air traffic control systems outside of the computer laboratory. Yet\nFAA\xe2\x80\x99s methodology for evaluating systems security, including risk categorization,\nis not adequate to ensure that operational systems are properly protected. These\nconcerns will be the subject of a separate report. Consequently, details related to\nthese issues are not included in this report.\n\nWe are making a series of recommendations, beginning on page 19, to help the\nDepartment improve its information security and privacy programs. A draft of\n\n2\n    We reported our concerns with allowing telecommuting employees to connect with the Department\xe2\x80\x99s networks using\n    home computers on page 17 of DOT Information Security Program, OIG Report FI-2008-001, October 10, 2007.\n3\n    En route centers are responsible for directing high-altitude traffic and disseminating flight information to all other air\n    traffic control facilities.\n\x0c                                                                                    6\n\n\nthis report was provided to the Department\xe2\x80\x99s CIO on September 30, 2008. On\nOctober 7, 2008, we received the CIO\xe2\x80\x99s response, which can be found in its\nentirety in the Appendix.         The CIO concurred with our findings and\nrecommendations and in 30 days will provide written comments describing the\nactions and milestones that will be taken to implement the recommendations.\n\n\nFINDINGS\n\nPolicies and Procedures Were Inadequate To Ensure Information\nSecurity and Privacy\n\nThe Department had not developed adequate policies or procedures to establish\nand maintain an effective Departmentwide information security program or to\naddress key OMB privacy requirements.                 We believe the absence of\ncomprehensive policies and procedures is contributing to the continuing decline in\nthe effectiveness of the Department\xe2\x80\x99s information security program and practices.\nFurther, the Department\xe2\x80\x99s lack of a cut-off date for its FISMA reporting has\ninhibited its ability to oversee its information security program.\n\nLarge Backlog of Information Security Policies Awaited Publication\n\nFISMA requires the Department to develop an information security program that\nincludes policies and procedures that are based on the risk assessments to cost-\neffectively reduce information security risks to an acceptable level and to ensure\nthat information security is addressed throughout the life cycle of each agency\ninformation system. The Department\'s CIO Office had a large backlog of draft\ninformation technology security policy in development. The Department\nidentified 52 topics that require IT security policy. To date, it has issued policy on\nonly 11 (21 percent). The other 41 topics remain unaddressed or have policy\nunder development or in draft form (see Table 1). A few examples of key\npolicies that are unaddressed or otherwise not final include policies that address\nconfiguration management, risk-level categorization, backup and contingency\nplanning, intrusion detection, access control, passwords, wireless networking,\nremote access, risk assessment, and security planning.\n\x0c                                                                                                   7\n\n\n            Table 1. Status of DOT Information Security Policies\n\n                                  Policy Status             Number\n                                  Final                         11\n                                  Draft                         14\n                                  Under\n                                  Development                     19\n                                  Unaddressed                      8\n                                    Total                         52\n                                   Source: OIG analysis\n\nWithout adequate and comprehensive information technology security policies,\nthe Department cannot establish or maintain an effective information security\nprogram, which includes (1) providing direction to the Operating Administrations,\nits employees, or its contractors on information security; (2) enforcing compliance\nwith key information security requirements; and (3) ensuring that security risks are\nreduced in a cost-effective and consistent manner. We further believe that the\nabsence of key policies is contributing to the Department\xe2\x80\x99s weaknesses in securing\nits networks, protecting its systems, providing security training, and resolving\nother information technology issues. These matters are further described below.\n\nKey Privacy Requirements Have Not Been Addressed\n\nOMB M-07-16, Safeguarding Against and Responding to the Breach of\nPersonally Identifiable Information, required agencies to (1) develop and\nimplement a "breach notification policy" by September 22, 2007; (2) review\ncurrent holdings of all personally identifiable information and ensure, to the\nmaximum extent practicable, that such holdings are accurate, relevant, timely, and\ncomplete, and reduce them to the minimum necessary for the proper performance\nof a documented agency function; (3) develop a plan by September 22, 2007, to\nreduce the use of Social Security numbers by November 22, 2009; and (4)\nimplement a \xe2\x80\x9crules and consequences policy\xe2\x80\x9d outlining the rules of behavior and\nidentifying consequences and corrective actions available for failure to follow\nthese rules.\n\nThe breach notification policy is still in draft form and, according to the DOT\nPrivacy Officer, is still undergoing revision. This policy is now over a year\noverdue. In addition, the Department has still not developed a \xe2\x80\x9crules and\nconsequences\xe2\x80\x9d policy. According to our most recent privacy report, 4 the agency\nhas not completed its reviews to determine if all systems containing PII have been\n\n\n4\n    Review of DOT Privacy Policies and Procedures, OIG Report Number FI-2008-077, September 9, 2008.\n\x0c                                                                               8\n\n\nidentified. Specifically, the Privacy Office could not provide assurance that 320\nsystems do not contain PII.\n\nThe Department\xe2\x80\x99s plan to reduce Social Security numbers likewise remains in\ndraft form and is also over a year late. This plan, which is part of the\nDepartment\xe2\x80\x99s M-07-16 DRAFT Action Plan, is extremely high level and is\nmissing goals, specific tasks, interim milestones, and assignment of\nresponsibilities. In addition, the plan has not been implemented and it is\nincreasingly unlikely that the Department will meet OMB\xe2\x80\x99s November 22, 2009,\ndeadline for completing the reduction of the use of Social Security numbers. The\nfollowing table encompasses the Department\xe2\x80\x99s entire draft plan to eliminate\nunnecessary use of Social Security numbers:\n\n         Table 2. DOT Draft Plan to Eliminate Unnecessary\n                  Use of Social Security Numbers\n\n                         Tasks                            Actions\n           Review and eliminate unnecessary      x   Arrange meeting\n           use of SSNs                               with HR,\n                                                     Security, OGC\n                                                     (Stand-up SSN\n           Develop plan, within 18 months, to        Elimination Task\n           eliminate unnecessary collection          Force).\n           and use of SSNs                       x   Initial review\n                                                     performed for\n                                                     OMB in Dec 2006.\n           Explore alternatives to use of SSNs   x   Draft/send email to\n           as a personal identifier                  OA Privacy\n                                                     Officers about\n                                                     need to update\n                                                     this review and\n                                                     ask for their plans\n                                                     to do so.\n                                                 x   Collect and\n                                                     analyze responses\n                                                     from the PII\n                                                     System Owner\n                                                     Survey.\n                                                 x   Draft DOT wide\n                                                     plan for\n                                                     submission to\n                                                     OMB.\n                                                 x   Participate in\n                                                     Governmentwide\n                                                     efforts to explore\n                                                     alternatives.\n\n\n             Source: DOT\n\x0c                                                                                   9\n\n\nWithout implementing these key privacy requirements, the Department cannot\n(1) ensure that all PII is properly identified and protected, (2) minimize the risk\nthat Social Security numbers will be exposed to parties who do not have a\nlegitimate need to know or possess them, (3) ensure that affected citizens are\nadequately notified in a timely manner when affected by breaches of personally\nidentifiable or other sensitive information, or (4) implement consequences for\nemployees who willfully or otherwise break privacy rules. Consequently, the\nDepartment may unwillingly contribute to problems with identity theft, law\nenforcement, or even national security.\n\nFISMA Data-Collection Cut-Off Date Has Not Been Established\n\nIn M-08-21, Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, OMB requests that agencies\nset an internal cut-off date for FISMA data collection and report preparation. This\ncut-off date should permit adequate time for meaningful internal review and\ncomment and resolution of any disputes before finalizing the agency\xe2\x80\x99s report to\nOMB. We found, however, that DOT\xe2\x80\x99s Office of the CIO (OCIO) has not set a\nDepartmentwide FISMA cut-off date. Instead, the OCIO allows updates to the\ninformation to occur right up to the FISMA deadline. (Note: OIG used a cut-off\ndate of August 31, 2008, to allow for the timely completion of its audit on DOT\'s\ninformation security program and practices.)\n\nWithout an adequate internal Departmentwide cut-off date, the Department does\nnot have sufficient time to perform meaningful internal review or assess the results\nsubmitted to it by the Operating Administrations. Because OIG uses a cut-off date\nand the Department does not, there will be timing differences between OIG\'s and\nthe OCIO\'s respective FISMA reports. In addition, some information may not be\nprovided to OIG in a timely manner for inclusion in its report. Further, this results\nin limited time for the Department and OIG to resolve disputes or differences in\ntheir respective reports, and for the Department to develop a timely corrective\naction plan that OIG can review prior to issuing its FISMA audit report.\n\n\nDOT Networks Were Not Adequately Protected From Intrusion\n\nLast year we reported that deficiencies were evident in network computers\xe2\x80\x99\nconfigurations, and that reporting of security incidents was incomplete and\ninaccurate. For FY 2008, the Department did not effectively manage baseline\nsystem configurations or track compliance with configuration standards, did not\nsufficiently deploy Federal Desktop Core Configuration (FDCC) requirements,\nand deployed software that was not properly configured. In addition, the\nDepartment\xe2\x80\x99s capability to respond to computer security incidents is hindered due\n\x0c                                                                                10\n\n\nto the low visibility of field networks and untimely reporting of certain incidents\npertaining to PII.\n\nBaseline Configuration Standards Have Not Been Fully Implemented\n\nTo reduce the risk of hostile attacks based on known vulnerabilities in commercial\noff-the-shelf software, such as the Windows Operating and Oracle Database\nsystems, agencies are required to configure such commercial software in\naccordance with NIST or agency security standards. Last year, DOT centrally\ntracked Operating Administrations\xe2\x80\x99 implementation of departmental baseline\nconfiguration standards, which enabled DOT to report that 29 percent of\nits systems conformed to these standards. However, this year DOT had no such\ntracking     capability,   and      was    not    able   to    share      Operating\nAdministrations\xe2\x80\x99 compliance status with OIG. According to OCIO officials, DOT\nbegan the transition to the Cyber Security Assessment and Management tool\n(CSAM) as its authoritative FISMA reporting system during FY 2008. It also\nasked Operating Administrations to input their compliance status into CSAM.\nHowever, the required information was missing from CSAM. In addition, last\nyear we reported that DOT issued a draft policy on configuration management.\nThis policy was still marked as \xe2\x80\x9cunder development\xe2\x80\x9d in September 2008.\n\nOMB M-07-11, Implementation of Commonly Accepted Security Configurations\nfor Windows Operating Systems, required agencies that have deployed the\nWindows XP Operating System to adopt the security configurations developed by\nNIST. We randomly tested 33 Windows XP workstations located at DOT\nHeadquarters, including one within OIG, and found none to be in full compliance\nwith FDCC settings. The average compliance rate of these computers was less\nthan 70 percent. The OCIO could not provide us with any documentation or\njustification of the deviations from the mandated configuration settings.\n\nWithout Departmentwide policy, tracking capability of implementation status of\nbaseline configuration standards, and full deployment of FDCC security settings,\nthe Department has no assurance that its computer systems have been adequately\nconfigured to minimize vulnerability. Indeed, during our review of one DOT\nsystem, we found that computers supporting the system were vulnerable to\npotential cyber attack due to inadequate configuration. This could obviously\nthreaten DOT\xe2\x80\x99s business operations.\n\nCritical Networks Lacked Comprehensive Intrusion-Detection Coverage\n\nFISMA requires agencies to have procedures for detecting, reporting, and\nresponding to security incidents. Starting in FY 2008, two DOT incident-response\ncenters were merged into the CSMC. Currently, CSMC is responsible for\n\x0c                                                                                                                      11\n\n\nproviding intrusion-detection system (IDS) monitoring services 5 to all Operating\nAdministrations. This helps the Department address increasing cyber security\nthreats. CSMC has also improved monitoring coverage to DOT\xe2\x80\x99s Headquarters\noperations. However, it has limited IDS monitoring coverage for DOT\xe2\x80\x99s field\noperations. For example, other than the Volpe National Transportation Systems\nCenter and FAA\xe2\x80\x99s regional offices, none of DOT\xe2\x80\x99s field operations were subject to\nCSMC monitoring.\n\nAccording to the CSMC officials, effective IDS deployment to DOT\xe2\x80\x99s network\nrequires close cooperation between CSMC and the Operating Administrations.\nCurrently, this cooperation is lacking. In fact, DOT management has not fully\nmapped its network infrastructure, including the locations of critical network\npoints, resulting in deployment of IDS sensors on an ad-hoc basis, which has made\nCSMC monitoring of DOT networks less effective. Without effectively deploying\nIDS monitoring capability, DOT cannot be fully aware of potential cyber attacks\non its networks and, as a result, cannot take timely action to stop or further prevent\nthese attacks.\n\nPII Incidents Were Not Immediately Reported\n\nDOT policy, Reporting Cyber Security Incidents and Sensitive Personally\nIdentifiable Information (SPII) Exposures, requires all cyber security incidents and\nSPII exposures be reported to CSMC immediately upon discovery. In addition,\nOMB M-06-19, Reporting Incidents Involving Personally Identifiable Information\nand Incorporating the Cost for Security in Agency Information Technology\nInvestments, requires agencies to report all incidents involving PII to the United\nStates Computer Emergency Readiness Team (US-CERT) within 1 hour of\ndiscovery. However, the Operating Administrations have not followed the\ndepartmental policy to report PII incidents internally to CSMC in a timely manner,\nwhich, in turn, prevented the incidents from being reported to US-CERT within\nOMB\xe2\x80\x99s required time frame.\n\nWe reviewed 38 PII-related cyber security incidents reported to CSMC between\nOctober 1, 2007 and July 31, 2008. Of these, ten (26 percent) were delayed in\nreporting to CSMC from 1 to 12 days. Further, CSMC did not report four PII\nincidents to US-CERT\xe2\x80\x94including one that contained the dates of birth of 168\nindividuals. According to CSMC, dates of birth were not considered sensitive PII\nunder departmental policy. Consequently, CSMC did not report this incident to\nUS-CERT, which is in conflict with OMB\xe2\x80\x99s requirement to report all PII incidents\nwithin 1 hour.\n\n\n5\n    To effectively monitor and detect potential cyber security incidents on a network, sensors are installed at the various\n    critical network points. These sensors automatically generate security alerts when potential cyber attacks are\n    detected, and are usually monitored from a central location that responds to incidents, including intrusions.\n\x0c                                                                                                                     12\n\n\nResponse to Detected Incidents Was Slow\n\nNIST Special Publication 800-61, Computer Security Incident Handling Guide,\nstates that an incident-response capability is necessary for rapidly detecting\nincidents, minimizing loss and destruction, mitigating the weaknesses that were\nexploited, and restoring computing services. We found, however, that Operating\nAdministrations did not review and correct incidents referred by CSMC in a\ntimely manner. For example, as of June 30, 2008, there were 233 unresolved\nincidents that needed remediation, 77 of which (33 percent) had been open for\nmore than 3 months, including critical incidents like potentially unauthorized\naccess to DOT computers.\n\nWhy did this occur? Because DOT did not have specific guidance or procedures\nin place to direct security officials on how to effectively remediate identified\nincidents. In addition, the lack of needed information, such as critical logging data\nand complete IP address information, impeded DOT\'s effort to accurately pinpoint\nthe computers affected by incidents in order to take timely action.6 Without\ntimely and effective remediation of cyber incidents, the Department remains at\nrisk for similar network compromises.\n\n\nThe Department Was Not Ensuring Adequate Security Training\nof Its Employees and Contractors\n\nFISMA requires the Secretary to ensure that the Department has sufficiently\ntrained personnel to assist the agency in complying with FISMA and related\npolicies, procedures, standards, and guidelines. FISMA also states that the\nrequired agencywide information security program shall include security-\nawareness training to inform personnel, including contractors, of information-\nsecurity risks associated with their activities, and their responsibilities in\ncomplying with agency policies and procedures designed to reduce these risks.\nHowever, the Department had no mechanism with which to track contractors\nrequiring security-awareness training. Also lacking was a policy for the use of\ncollaborative Web technologies; 7 such technologies were likewise not included in\nDOT\xe2\x80\x99s security-awareness training, as is required by OMB.\n\nFISMA further requires that the Secretary delegate to the CIO the authority to\nensure compliance with the requirements imposed on the agency, including\ntraining personnel with significant responsibilities for information security. To\n\n6\n    An IP address is a unique numerical identification that is assigned to a computer on a network.\n7\n    Collaborative software is designed to help people involved in a common task achieve their goals and is the basis for\n    computer-supported cooperative work. Examples of collaborative software include electronic calendars used to\n    schedule events and automatically notify and remind group members about meetings; project management systems\n    used to schedule, track, and chart steps in a project as it is being completed; and online spreadsheets used to share\n    structured data and information.\n\x0c                                                                                13\n\n\ndate, the Department has been unable to provide us with any information on\nemployees or contractors with significant information-security responsibilities\nwho require or have taken specialized security training. Without such tracking\ncapabilities, the Department cannot ensure that employees and contractors are\nreceiving sufficient and appropriate security training.\n\nEmployees who are not properly trained about computer security may cause,\ncontribute to, or become victims of the following vulnerabilities or security\nbreaches: e-mail exploits, account or password sharing, inadequate safeguarding\nof passwords or computer resources, Internet misuse, corporate espionage, or\nsocial engineering. In addition, without including collaborative Web technologies\nin its security-awareness training, employees and contractors could misapply these\ntechnologies and enable access and review of sensitive DOT data and information\nby unauthorized personnel or entities. This could put sensitive or critical\ninformation at risk for unauthorized disclosure or use that could be detrimental to\nDOT and the general public.\n\n\nCorrection of Information Security Weaknesses Was Not\nAdequately Managed\n\nFor FY 2008, the Department did not improve its management of information\nsecurity weaknesses. DOT is required to track and manage information security\nweaknesses in POA&Ms; the Department uses CSAM to track its POA&Ms. For\neach weakness, these POA&Ms should identify a priority level, a cost estimate to\ncomplete the action, and a milestone date to indicate by when the action will be\nremediated. This information is critical if management is to prioritize, fund, and\nresolve information-security weaknesses in a timely manner. Last year, we\nreported that insufficient action had been taken to correct identified security\ndeficiencies. We specifically noted that 30 percent of corrections (901 out of\nabout 3000) were overdue for more than 6 months, and cost estimates to fix 60\npercent of the deficiencies were missing.\n\nWe found information security weaknesses that were identified but not\nincorporated in POA&Ms. Of those that were identified and tracked in the\nPOA&M system, there were many for which the priority level has not been\nassigned or the cost of completing the remedial actions has not been estimated. In\naddition, many of the high and moderate weaknesses were not remediated in a\ntimely manner.\n\n   x Weaknesses Not Recorded. OMB M-08-21 requires that POA&Ms include\n     all security weaknesses found during any review done by, for, or on behalf\n     of the agency, including Government Accountability Office audits,\n     financial system audits, and critical infrastructure vulnerability\n\x0c                                                                          14\n\n\n   assessments. In addition, the memorandum requires that these plans be the\n   authoritative agencywide management tool, inclusive of all evaluations.\n   However, in our review of the 16 sampled IT systems, we found that 8\n   (ARTS IIIA, ACE-IDS, OASIS, ADAS, CSAM, HMPIP, FHWA Network,\n   and TransStats) did not report all known IT security weaknesses in\n   POA&Ms.\n\nx Weaknesses Not Prioritized or Lacking Cost Estimates. OMB M-02-01,\n  Guidance for Preparing and Submitting Security Plans of Action and\n  Milestones, states that POA&Ms should detail resources required to\n  accomplish the elements of the plan and be used to prioritize corrective\n  actions. Of the 4,286 open information security weaknesses, 939 (22\n  percent) were not prioritized as high, moderate, or low; and 2,493 (58\n  percent) did not indicate the cost to resolve/remediate them (see Table 3).\n\n\n           Table 3. IT Security Weaknesses Lacking\n               Categorization and/or Cost Data\n\n                                     Weaknesses\n                                             Not\n                                     Categorized\n                            Total IT    as High,      Estimated\n                           Security Moderate, or       Cost Not\n         OA             Weaknesses          Low       Identified\n         FAA                  3,049           710         1,703\n         FHWA                   269             5           266\n         FMCSA                   28             2            25\n         FRA                    257           200             2\n         FTA                     17            15             1\n         MARAD                  337             5           191\n         NHTSA                    7             0             7\n         OIG                     15             0             6\n         OST                     53             2            38\n         PHMSA                  128             0           128\n         RITA                    59             0            59\n         SLSDC                    0             0             0\n         STB                     67             0            67\n                Total         4,286           939         2,493\n          Percentage                          22%          58%\n                Source: DOT\n\x0c                                                                                            15\n\n\n\n\n   x Weaknesses Overdue for Correction. We also found 986 information\n     security weaknesses whose corrective actions were either overdue or did\n     not have a scheduled completion date (see Table 4).\n\n\n     Table 4. IT Security Weaknesses Overdue for Mitigation\n\n\n                                 Total                    OVERDUE\n                            Overdue or\n                               Without                                                       No\n                 Total IT    Scheduled                       91-      121             Scheduled\n                Security    Completion   1-60    61-90      120     days-       >1   Completion\nOA           Weaknesses           Date   days     days     days    1 year    year          Date\nSTB                   67            67       0        0        0         0      52           15\nSLSDC                   0            0       0        0        0         0       0            0\nRITA                  59            59       0        0        1         6      18           34\nPHMSA                128           128       0       49        0        24      27           28\nOST                   53            36       0        1       14         3      17            1\nOIG                   15             9       0        0        0         8       1            0\nNHTSA                   7            6       0        0        0         0       4            2\nMARAD                337             5       1        1        1         0       0            2\nFTA                   17             0       0        0        0         0       0            0\nFRA                  257           181       2        0       30         0       6          143\nFMCSA                 28             9       0        3        0         0       6            0\nFAA                3,049           217       7        5        4         2       7          192\nFHWA                 269           269       0        0        2        31    226            10\n     Total         4,286           986      10       59       52        74    364           427\nPercentage                        23%    0.2%     1.4%     1.2%      1.7%    8.5%          10%\n\n       Source: DOT\n\nWithout a compliant POA&M process, the Department cannot ensure that its\nsystems are adequately secured and protected. Specifically, without cost\nestimates, proper risk categorizations, or milestones to resolve or mitigate all\nweaknesses, it is difficult or impossible for the Department to adequately prioritize\nand resolve open weaknesses. As a result, weaknesses of lesser urgency may get\nresolved before critical ones. In addition, allowing weaknesses to remain\nunaccounted for, unresolved, or unmitigated for extended periods of time allows\nfor unnecessary vulnerabilities and exposures that may be exploited by intruders,\nor may otherwise compromise the availability or integrity of essential systems and\ndata.\n\x0c                                                                                  16\n\n\nDOT Systems Were Not Sufficiently Protected or Adequately\nTested To Ensure Recovery\n\nThe Department was not sufficiently protecting its systems or ensuring that they\ncan be recovered when necessary. Last year we reported that 11 (52 percent) of 21\nsampled systems did not meet minimum security-protection requirements. For FY\n2008, there were no significant improvements.\n\n\nMandated Online Authentication Requirements Were Not Being Met\n\nThe Federal Government wants its citizens to be able to access Government\nservices quickly and easily through the Internet. To ensure that online\nGovernment services are secure and protect privacy, some type of identity\nverification or authentication (referred to as e-authentication) is needed. OMB M-\n04-04, E-Authentication Guidance for Federal Agencies, prescribes a process for\nagencies to use in determining what level of assurance is needed to verify the\nidentity of the requester. This process includes, but is not limited to, conducting a\nrisk assessment of the e-government system, validating that the implemented\nsystem has achieved the required assurance level, and periodically reassessing the\nsystem to determine technology-refresh requirements.\n\nOur review of the OCIO\'s inventory of e-authentication systems and supporting\ndocumentation for three sample systems managed by the Federal Motor Carrier\nSafety Administration (FMCSA) and the Federal Railroad Administration (FRA),\nincluding certification and accreditation packages, found the following:\n\n   x No e-authentication documentation was available to support the three\n     sampled DOT system classifications and categorized assurance levels.\n\n   x The risk assessments of the three systems did not contain any information\n     regarding e-authentication.\n\n   x The system security plans of the three systems did not address e-\n     authentication requirements.\n\n   x FMCSA and FRA officials were unaware whether any validation of the\n     three systems had occurred, and could not provide any documentation to\n     support validation.\n\nIn addition, the Department has not identified all systems requiring e-\nauthentication. For example, FAA\'s Medical Support System, which allows\nthousands of airmen to complete medical applications online through the Internet,\nwas not included in the inventory of systems that requires e-authentication.\n\x0c                                                                               17\n\n\n\nWithout supporting e-authentication documentation and a complete inventory of e-\nauthentication systems, the Department has no assurance that its IT systems\nrequiring e-authentication are adequately identified and protected. Further,\nwithout considering e-authentication requirements during the certification and\naccreditation process, changes to e-authentication levels or other matters may\noccur without an appropriate reassessment of each system\'s e-authentication\nrequirements.\n\nSystems Were Not Certified and Accredited in Accordance with NIST\nStandards\n\nNIST SP 800-37, Guide for the Security Certification and Accreditation of\nFederal Information Systems, states that the security accreditation package\ndocuments the results of the security certification and provides the authorizing\nofficial with the essential information needed to make a credible, risk-based\ndecision on whether to authorize operation of the information system. It further\nstates that the security accreditation package should contain an approved system\nsecurity plan, a security assessment report, and a POA&M. Half (8) of our 16\nsampled systems did not meet these core requirements (see Table 5).\n\n               Table 5: Sampled Systems\xe2\x80\x99 C&A Results\n\n                                                 Systems\n                                                  Without\n                                                     Fully\n                                     Sampled    Compliant\n                       OA            Systems       C&As\n                       FAA                 11            5\n                       FHWA                 1            1\n                       FMCSA                1            1\n                       FRA                  1            0\n                       OST                  1            0\n                       RITA                 1            1\n                        Total              16            8\n                            Source: OIG\n\nOMB Circular A-130, Appendix III, Security of Federal Automated Information\nResources, requires that systems be reauthorized (i.e., accredited) at least once\nevery 3 years. However, 20 of FHWA\xe2\x80\x99s 26 systems had not been recertified, and\nwere operating without accreditation, including two high-impact systems whose\ncertifications and accreditations expired in November 2007. Without proper\ncertification and accreditation, the Department lacks a crucial management control\nthat ensures that systems are properly assessed for risk, have been independently\ntested, and have identified and sufficiently mitigated weaknesses. Consequently,\n\x0c                                                                               18\n\n\nmanagement cannot ensure that systems are operating without unacceptable risks\nor weaknesses.\n\nContingency Plans Were Not Being Tested\n\nOMB Circular A-130, Appendix III, Security of Federal Automated Information\nResources, requires agencies to establish and periodically test the capability to\ncontinue providing service within a system based upon the needs and priorities of\nthe participants of the system. NIST Special Publication 800-53, Revision 2,\nRecommended Security Controls for Federal Information Systems, further requires\nthat agencies test and update their system contingency plans at least annually. As\nshown in table 6, only 11 of 16 sampled systems had a contingency plan. In\naddition, only 9 of the 11 contingency plans had complied with testing\nrequirements.\n\n          Table 6: Sampled Systems\xe2\x80\x99 Contingency Status\n\n                                                       Systems With\n                                       Systems With          Tested\n                         Sampled        Contingency     Contingency\n                 OA      Systems              Plans           Plans\n            FAA                11                  7                 6a\n            FHWA                1                  1                  1\n            FMCSA               1                  1                  1\n            FRA                 1                  1                  1\n            OST                 1                  1                  0\n            RITA                1                  0                 --\n             Total             16                 11                  9\n             a\n              Includes a system for which testing was not yet due.\n             Source: OIG\n\nWithout adequate preparation and testing of system contingency plans, DOT\ncannot ensure that systems will operate properly or in a timely manner during an\nemergency or service disruption. Loss of DOT IT systems would limit DOT\nmanagement\'s ability to perform its missions, including its critical functions in\nserving the public.\n\x0c                                                                               19\n\n\nRECOMMENDATIONS\n\nIn order to reduce the vulnerabilities currently inherent in the Department\xe2\x80\x99s\ninformation security program, we recommend that the Chief Information Officer\ndo the following:\n\nInformation Security and Privacy Programs:\n\n   1. Provide information security performance metrics to be included in\n      Operating Administration CIOs\xe2\x80\x99 performance standards and subsequently\n      provide input on their performance in addressing these metrics;\n\n   2. Develop and issue comprehensive, compliant information-security policies\n      and procedures as required by FISMA, OMB, and NIST;\n\n   3. Complete review of its draft breach-notification policy, perform revisions\n      as necessary to conform to OMB requirements, and issue an official breach-\n      notification policy;\n\n   4. Review and finalize its plan to reduce Social Security numbers, and\n      implement the reduction of Social Security numbers in the time frame set\n      forth by OMB.\n\n   5. Issue a policy outlining the rules of behavior and identifying consequences\n      and corrective actions available for failure to protect privacy;\n\n   6. Establish a departmentwide internal FISMA cut-off date that allows\n      sufficient time for the Department to conduct meaningful internal review,\n      which includes evaluating the accuracy of the data it includes in its FISMA\n      report as well as time to resolve any potential disputes with the OIG;\n\n   7. Maintain an adequate audit trail of data supporting FISMA reports as of the\n      selected cut-off date;\n\n\nNetwork Security:\n\n   8. Assign a priority to finalizing the DOT configuration management policy;\n\n   9. Require Operating Administrations to periodically report status of baseline\n      configuration compliance and independently validate compliance status\n      reported by Operating Administrations;\n\x0c                                                                                 20\n\n\n   10. Implement NIST FDCC settings on the Windows XP workstations on the\n       DOT Common Operating Environment, require Operating Administrations\n       to implement FDCC settings on Operating Administrations\xe2\x80\x99 Windows XP\n       workstations, and document any required deviations from those settings;\n\n   11. Establish a timetable for Operating Administrations to work with CSMC to\n       deploy monitoring devices covering all DOT critical networks;\n\n   12. Enforce Operating Administrations\xe2\x80\x99 reporting of PII-related security\n       incidents to CSMC immediately upon discovery, as specified in DOT\n       policy;\n\n   13. Revise DOT policies to meet the OMB requirement for reporting PII\n       incidents;\n\n   14. Implement procedures for Operating Administrations to take timely\n       remedial action for identified incidents;\n\n   15. Direct CSMC and Operating Administrations to work together to collect\n       and share the information needed for cyber incident-response reporting,\n       such as IP- address assignment and critical logging data;\n\nSecurity Training:\n\n   16. Enforce the requirements for all employees and contractors to take security-\n       awareness training in order to gain and maintain access to Department\n       systems;\n\n   17. Establish a tracking system or other process that effectively and routinely\n       accounts for all active contractors requiring security training;\n\n   18. Establish a mechanism to identify and train employees and contractors\n       requiring specialized security training;\n\n   19. Include collaborative Web technologies in the Department\xe2\x80\x99s required\n       security-awareness training;\n\nManagement of Information Security Weaknesses:\n\n   20. Ensure that all weaknesses that are identified during reviews, including\n       certification and accreditation, and that require remediation, are tracked in\n       the Department\xe2\x80\x99s POA&M system;\n\n   21. Establish adequate policies for timeliness of remediation and enforce such\n       policies;\n\x0c                                                                                 21\n\n\n\n   22. Require that all identified weaknesses include a cost estimate and that these\n       estimates, along with the severity of the weakness, be used to prioritize\n       these weaknesses for correction;\n\nSystems Security:\n\n   23. Implement a process to ensure that all departmental systems that require\n       e-authentication are identified in the e-authentication system inventory and\n       that the necessary e-authentication supporting documentation is obtained or\n       developed for these systems;\n\n   24. Ensure that all systems that require e-authentication have certification and\n       accreditation packages that include support for e-authentication in the\n       appropriate sections of their system security plans and risk assessments;\n\n   25. Validate that e-authentication systems have operationally achieved the\n       required assurance level;\n\n   26. Require development and appropriate annual testing of system contingency\n       plans and ensure that tested contingency plans are updated based on the\n       results of the contingency plan tests performed; and\n\n   27. Enforce certification and accreditation requirements uniformly throughout\n       the Department.\n\n\n\n\nMANAGEMENT COMMENTS AND OFFICE OF INSPECTOR\nGENERAL RESPONSE\n\nA draft of this report was provided to the Department\xe2\x80\x99s CIO on September 30,\n2008. On October 7, 2008, we received the Department CIO\xe2\x80\x99s response, which\ncan be found in its entirety in the Appendix. The CIO concurred with our findings\nand recommendations and will provide, in 30 days, written comments describing\nthe specific actions and milestones that will be taken to implement the\nrecommendations.\n\x0c                                                                                 22\n\n\nACTIONS REQUIRED\n\nWe will review the Chief Information Officer\xe2\x80\x99s detailed action plans to determine\nwhether they satisfy the intent of our recommendations. All corrections are\nsubject to follow-up provisions in DOT Order 8000.1.C. We appreciate the\ncourtesies and cooperation of the CIO Office and the Operating Administrations\xe2\x80\x99\nrepresentatives during this audit. If you have any questions concerning this report,\nplease call me at (202) 366-1959; David Dobbs, Principal Assistant Inspector\nGeneral for Auditing and Evaluation, at (202) 366-0500; or Rebecca C. Leng,\nAssistant Inspector General for Financial and Information Technology Audits, at\n(202) 366-1407.\n\n\n                                         #\n\ncc: Deputy Secretary\n    Assistant Secretary for Budget and Programs/Chief Financial Officer\n    Acting Federal Aviation Administrator\n    CIO Council Members\n    Martin Gertel, M-1\n\x0c                   EXHIBIT A. OIG INPUT TO FISMA REPORT                                                                                                                                                                 23\n\n                                                                                           Section C - Inspector General: Questions 1 and 2\nAgency Name:                                                               Department of Transportation                                                                 Submission date:                   October 1, 2008\n                                                                                                  Question 1: FISMA Systems Inventory\n1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized).\nExtend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency.\nThe total number of systems shall include both agency systems and contractor systems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of\nlaw. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n                                                               Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n\n2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and\naccreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.\n\n                                                                                                                              Question 1                                                            Question 2\n                                                                                                          a.                      b.                    c.                       a.                        b.                c.\n                                                                                                    Agency Systems            Contractor         Total Number of         Number of systems        Number of systems Number of systems\n                                                                                                                               Systems              Systems                certified and          for which security     for which\n                                                                                                                                                  (Agency and               accredited            controls have been contingency plans\n                                                                                                                                                   Contractor                                    tested and reviewed have been tested in\n                                                                                                                                                    systems)                                        in the past year  accordance with\n                                                                                                                                                                                                                           policy\n\n\n                                                                                                                                                             Total\n                                                                           FIPS 199 System                      Number          Number   Total                            Total       Percent of  Total    Percent of  Total      Percent of\nBureau Name                                                                                        Number               Number                              Number\n                                                                           Impact Level                        Reviewed        Reviewed Number                           Number         Total    Number      Total    Number        Total\n                                                                                                                                                           Reviewed\nFederal Aviation Administration                                            High                          18            3         0                    18            3             1        33%         2          67%         0          0%\n                                                                           Moderate                     157            6        12                   169            6             5        83%         5          83%         5         83%\n                                                                           Low                           72            2         3                    75            2             0         0%         2         100%         1         50%\n                                                                           Not Categorized                2            0         0                     2            0\n                                                                           Sub-total                    249           11        15           0       264           11             6        55%         9         82%          6         55%\nFederal Highway Administration                                             High                           6            1                               6            1             0         0%         0          0%          1        100%\n                                                                           Moderate                      13                      1                    14            0\n                                                                           Low                            6                                            6            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                      25           1         1           0        26            1             0         0%         0          0%          1        100%\nFederal Motor Carrier Safety Administration                                High                                                                        0            0\n                                                                           Moderate                       19           1         2                    21            1             0         0%         1         100%         1        100%\n                                                                           Low                             1                     1                     2            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                      20           1         3           0        23            1             0         0%         1         100%         1        100%\nFederal Railroad Administration                                            High                                                                        0            0\n                                                                           Moderate                       11                     3           1        14            1             1       100%         1         100%         1        100%\n                                                                           Low                             4                     3                     7            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                      15           0         6           1        21            1             1       100%         1         100%         1        100%\nFederal Transit Administration                                             High                                                                        0            0\n                                                                           Moderate                        4                                           4            0\n                                                                           Low                             1                                           1            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                       5           0         0           0         5            0             0                    0                      0\nMaritime Administration                                                    High                            1                                           1            0\n                                                                           Moderate                        8                                           8            0\n                                                                           Low                             4                                           4            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                      13           0         0           0        13            0             0                    0                      0\nNational Highway Traffic Safety Administration                             High                                                                        0            0\n                                                                           Moderate                        6                     2                     8            0\n                                                                           Low                             2                     1                     3            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                       8           0         3           0        11            0             0                    0                      0\nOffice of the Inspector General                                            High                                                                        0            0\n                                                                           Moderate                        2                                           2            0\n                                                                           Low                                                                         0            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                       2           0         0           0         2            0             0                    0                      0\nOffice of the Secretary                                                    High                                                  3           1         3            1             1       100%         1         100%         0          0%\n                                                                           Moderate                       19                     7                    26            0\n                                                                           Low                             6                     8                    14            0\n                                                                           Not Categorized                 1                                           1            0\n                                                                           Sub-total                      26           0        18           1        44            1             1       100%         1         100%         0          0%\nPipeline and Hazardous Materials Safety Administration                     High                                                                        0            0\n                                                                           Moderate                                              2                     2            0\n                                                                           Low                             1                     1                     2            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                       1           0         3           0         4            0             0                    0                      0\nResearch and Innovative Technology Administration                          High                            1           1                               1            1             0         0%         1         100%         0          0%\n                                                                           Moderate                        5                     3                     8            0\n                                                                           Low                                                                         0            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                       6           1         3           0         9            1             0         0%         1         100%         0          0%\nSaint Lawrence Seaway Development Corporation                              High                                                                        0            0\n                                                                           Moderate                                                                    0            0\n                                                                           Low                             1                                           1            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                       1           0         0           0         1            0             0                    0                      0\nSurface Transportation Board                                               High                                                                        0            0\n                                                                           Moderate                        2                                           2            0\n                                                                           Low                                                                         0            0\n                                                                           Not Categorized                                                             0            0\n                                                                           Sub-total                      2            0         0           0         2            0             0                    0                      0\nAgency Totals                                                              High                          26            5         3           1        29            6             2        33%         4          67%         1         17%\n                                                                           Moderate                     246            7        32           1       278            8             6        75%         7          88%         7         88%\n                                                                           Low                           98            2        17           0       115            2             0         0%         2         100%         1         50%\n                                                                           Not Categorized                3            0         0           0         3            0             0                    0                      0\n                                                                           Total                        373           14        52           2       425           16             8        50%        13         81%          9         56%\n\n\n\n\n                   Exhibit A. OIG Input to FISMA Report\n\x0c                                                                                                                                                      24\n\n\n\n                                                    Section C - Inspector General: Question 3\nAgency Name: Department of Transportation\nQuestion 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory\n\n                The agency performs oversight and evaluation to ensure information systems used or operated by a\n                contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA,\n                OMB policy and NIST guidelines, national security policy, and agency policy.\n\n                Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or\n                other organization on behalf of their agency; therefore, self reporting by contractors does not meet the\n                requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be\n                sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.                     Rarely (0-50% of the time)\n      3.a.\n                Response Categories:\n                 - Rarely- for example, approximately 0-50% of the time\n                 - Sometimes- for example, approximately 51-70% of the time\n                 - Frequently- for example, approximately 71-80% of the time\n                 - Mostly- for example, approximately 81-95% of the time\n                 - Almost Always- for example, approximately 96-100% of the time\n\n                The agency has developed a complete inventory of major information systems (including major national\n                security systems) operated by or under the control of such agency, including an identification of the\n                interfaces between each such system and all other systems or networks, including those not operated by\n                or under the control of the agency.\n\n                Response Categories:                                                                                             Inventory is 96-100% complete\n      3.b.\n                 - The inventory is approximately 0-50% complete\n                 - The inventory is approximately 51-70% complete\n                 - The inventory is approximately 71-80% complete\n                 - The inventory is approximately 81-95% complete\n                 - The inventory is approximately 96-100% complete\n\n      3.c.      The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.                                          Yes\n\n                The IG generally agrees with the CIO on the number of information systems used or operated by a\n      3.d.                                                                                                                                      Yes\n                contractor of the agency or other organization on behalf of the agency. Yes or No.\n\n      3.e.      The agency inventory is maintained and updated at least annually. Yes or No.                                                    Yes\n\n                If the Agency IG does not evaluate the Agency\'s inventory as 96-100% complete, please identify the known missing systems by\n                Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known),\n                and indicate if the system is an agency or contractor system.\n                                                                                                    Exhibit 53 Unique Project\n                             Component/Bureau                           System Name                      Identifier (UPI)          Agency or Contractor system?\n                                                                                                       {must be 23-digits}\n\n\n\n\n      3.f.\n\n\n\n\n                Number of known systems missing from\n                inventory:\n\n\n\n\n    Exhibit A. OIG Input to FISMA Report\n\x0c                                                                                                                                                               25\n\n\n\n                                                     Section C - Inspector General: Questions 4 and 5\nAgency Name:          Department of Transportation\n                                        Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process\nAssess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the\ndegree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments\nin the area provided.\n\nFor each statement in items 4.a. through 4.f., select the response category that best reflects the agency\'s status.\n\nResponse Categories:\n - Rarely- for example, approximately 0-50% of the time\n - Sometimes- for example, approximately 51-70% of the time\n - Frequently- for example, approximately 71-80% of the time\n - Mostly- for example, approximately 81-95% of the time\n - Almost Always- for example, approximately 96-100% of the time\n                    The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information\n        4.a.        systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the            Rarely (0-50% of the time)\n                    agency.\n                     When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system)\n        4.b.                                                                                                                                  Rarely (0-50% of the time)\n                     develop, implement, and manage POA&Ms for their system(s).\n\n                     Program officials and contractors report their progress on security weakness remediation to the CIO on a regular\n        4.c.                                                                                                                                  Rarely (0-50% of the time)\n                     basis (at least quarterly).\n\n        4.d.         Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.                      Rarely (0-50% of the time)\n\n\n        4.e.         IG findings are incorporated into the POA&M process.                                                                     Rarely (0-50% of the time)\n\n                     POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed\n        4.f.                                                                                                                                  Rarely (0-50% of the time)\n                     in a timely manner and receive appropriate resources.\n\n POA&M process\n   comments:\n\n\n                                             Question 5: IG Assessment of the Certification and Accreditation Process\nProvide a qualitative assessment of the agency\'s certification and accreditation process, including adherence to existing policy, guidance, and standards.\nProvide narrative comments as appropriate.\n\nAgencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification\nand accreditation work initiated after May 2004. This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information and Information\nSystems" (February 2004) to determine a system impact level, as well as associated NIST document used as guidance for completing risk assessments and security\nplans.\n\n                     The IG rates the overall quality of the Agency\'s certification and accreditation process as:\n\n                     Response Categories:\n                      - Excellent\n        5.a.                                                                                                                                          Satisfactory\n                      - Good\n                      - Satisfactory\n                      - Poor\n                      - Failing\n\n                     The IG\'s quality rating included or considered the following aspects of the C&A Security plan                                         X\n                     process: (check all that apply)\n                                                                                                     System impact level                                   X\n                                                                                                     System test and evaluation                            X\n                                                                                                     Security control testing                              X\n        5.b.                                                                                         Incident handling                                     X\n                                                                                                     Security awareness training\n                                                                                                     Configurations/patching\n                                                                                                                                            Risk Assessment, Contigency\n                                                                                                            Other:\n                                                                                                                                            Plan and POAM\n\n\n   C&A process\n    comments:\n\n\n\n\n           Exhibit A. OIG Input to FISMA Report\n\x0c                                                                                                                                                         26\n\n\n\n                                                Section C - Inspector General: Questions 6, 7, and 8\nAgency Name:    Department of Transportation\n                         Question 6-7: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process\n\n                Provide a qualitative assessment of the agency\'s Privacy Impact Assessment (PIA) process, as discussed in\n                Section D Question #5 (SAOP reporting template), including adherence to existing policy, guidance, and\n                standards.\n\n                Response Categories:\n                 - Response Categories:                                                                                                     Satisfactory\n       6\n                 - Excellent\n                 - Good\n                 - Satisfactory\n                 - Poor\n                 - Failing\n\n\n   Comments:\n\n\n\n                Provide a qualitative assessment of the agency\xe2\x80\x99s progress to date in implementing the provisions of M-07-16\n                Safeguarding Against and Responding to the Breach of Personally Identifiable Information.\n\n                Response Categories:\n                 - Response Categories:\n                                                                                                                                               Failing\n       7         - Excellent\n                 - Good\n                 - Satisfactory\n                 - Poor\n                 - Failing\n\n                 DOT Breach Policy is in Draft and still undergoing revision. This policy should had been issued by September 2007. DOT has not completed its\n   Comments:    review to determine which IT systems contain PII. Therefore, the Privacy Officer could not provide assurance that the unreviewed IT systems do not\n                contain PII. DOT has not implemented a plan to reduce social security numbers. DOT doe not have rules of behavior and consequences policy in\n                place.\n                                                           Question 8: Configuration Management\n\n      8.a.      Is there an agency-wide security configuration policy? Yes or No.                                                                No\nComments:       DOT does not have a security configuration policy in place. This policy is under development.\n\n\n                Approximate the extent to which applicable systems implement common security configurations, including\n      8.b.\n                use of common security configurations available from the National Institute of Standards and Technology\xe2\x80\x99s\n                website at http://checklists.nist.gov.                                                                               Rarely (0-50% of the time)\n\n                Response categories:\n\n                 -   Rarely- for example, approximately 0-50% of the time\n                 -   Sometimes- for example, approximately 51-70% of the time\n                 -   Frequently- for example, approximately 71-80% of the time\n                 -   Mostly- for example, approximately 81-95% of the time\n                 -   Almost Always- for example, approximately 96-100% of the time\n\n\n      8.c.      Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:\n\n\n                c.1. Agency has adopted and implemented FDCC standard configurations and has documented deviations.\n                                                                                                                                                 No\n                Yes or No.\n\n                c.2 New Federal Acquisition Regulation 2007-004 language, which modified "Part 39\xe2\x80\x94Acquisition of\n                                                                                                                                                 No\n                Information Technology", is included in all contracts related to common security settings. Yes or No.\n\n                c.3 All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or\n                                                                                                                                                 No\n                No.\n\n\n\n\n           Exhibit A. OIG Input to FISMA Report\n\x0c                                                                                                                                                         27\n\n\n\n                                               Section C - Inspector General: Questions 9, 10 and 11\nAgency Name:        Department of Transportation\n                                                                 Question 9: Incident Reporting\nIndicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. If\nappropriate or necessary, include comments in the area provided below.\n                    The agency follows documented policies and procedures for identifying and reporting incidents internally.\n        9.a.                                                                                                                                       No\n                    Yes or No.\n                    The agency follows documented policies and procedures for external reporting to US-CERT. Yes or No.\n        9.b.                                                                                                                                       Yes\n                    (http://www.us-cert.gov)\n\n        9.c.        The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.                             Yes\n\nComments:           We found that ten incidents involving PII were not reported within the 1-hour requirement; some were many days late. The CIO viewed these as a\n                    small subset of a much larger universe of security incidents. However, considering the importance of timely reporting of sensitive breaches\n                    concerning privacy information, we concluded that the Department did not follow documented policies and procedures for reporting incidents\n                    internally.\n                                                           Question 10: Security Awareness Training\nHas the agency ensured security awareness training of all employees, including contractors and those employees with\nsignificant IT security responsibilities?\n\nResponse Categories:\n - Rarely- or approximately 0-50% of employees                                                                                        Rarely (0-50% of employees)\n - Sometimes- or approximately 51-70% of employees\n - Frequently- or approximately 71-80% of employees\n - Mostly- or approximately 81-95% of employees\n - Almost Always- or approximately 96-100% of employees\n                                         Question 11: Collaborative Web Technologies and Peer-to-Peer File Sharing\n\nDoes the agency explain policies regarding the use of collaborative web technologies and peer-to-peer file sharing in IT security\n                                                                                                                                                   No\nawareness training, ethics training, or any other agency-wide training? Yes or No.\n\n                                                       Question 12: E-Authentication Risk Assessments\n12.a. Has the agency identified all e-authentication applications and validated that the applications have operationally achieved\nthe required assurance level in accordance with the NIST Special Publication 800-63, \xe2\x80\x9cElectronic Authentication Guidelines\xe2\x80\x9d?                       No\nYes or No.\n12.b. If the response is \xe2\x80\x9cNo\xe2\x80\x9d, then please identify the systems in which the agency has not            The three systems that OIG reviewed had not implemented e-\nimplemented the e-authentication guidance and indicate if the agency has a planned date of             authentication guidance.\nremediation.\n\n\n\n\n          Exhibit A. OIG Input to FISMA Report\n\x0c                                                                                  28\n\n\n\n\nEXHIBIT B. SCOPE AND METHODOLOGY\nThe Federal Information Security Management Act of 2002 (FISMA) requires that\nwe perform an independent evaluation to determine the effectiveness of the\nDepartment\xe2\x80\x99s information security program and practices. FISMA further requires\nthat our evaluation include testing of a representative subset of systems and an\nassessment, based on our testing, of the Department\xe2\x80\x99s compliance with FISMA\nand applicable requirements. On July 14, 2008, the Office of Management and\nBudget (OMB) issued M-08-21, Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management, which\nprovides instructions for inspectors general for completing their FISMA\nevaluations and the required OMB template.\n\nTo meet FISMA and OMB requirements, we selected a representative subset of 16\ndepartmental systems (see Table 7) and reviewed the compliance of these systems\nwith NIST and OMB requirements in the areas of risk categorization, security\nplans, annual control testing, contingency planning, certification and accreditation,\nincident handling, and plans of actions and milestones. We also conducted testing\nto assess the Department\xe2\x80\x99s inventory, its overall process of resolving information\nsecurity weaknesses, certain privacy requirements, configuration management,\nincident reporting, security-awareness training, and e-authentication. Our tests\nincluded analysis of data contained in the Department\xe2\x80\x99s Cyber Security\nAssessment and Management system, reviews of supporting documentation, and\ninterviews with departmental officials. We also used commercial scanning\nsoftware to assess network vulnerabilities and compliance with Federal Desktop\nCore Configuration requirements.\n\nFor FY 2008, we determined that work pertaining to Earned Value Management\n(EVM) would no longer be included within the scope of our FISMA audit and will\nbe included in a separate report. In addition, we determined that audit work and\nfindings developed specific to FAA\xe2\x80\x99s business continuity plans and to its testing of\noperational systems outside of the computer laboratory would be the subject of a\nseparate report. We did, however, include eleven FAA systems in our sample to\nensure adequate representation of FAA and considered FAA data as it related to\nour overall conclusions on DOT\xe2\x80\x99s information security program and practices.\n\n\n\n\nExhibit B. Scope and Methodology\n\x0c                                                                              29\n\n\n      Table 7. OIG\xe2\x80\x99s Representative Subset of DOT Systems\n\n\n      Operating                                                  Contractor\n      Administration   System                                     System?\n                       Automated Surface Observing System\n                       Controller Equipment/Integrated Display\n      FAA              System (ACE-IDS)                             No\n                       Automated Weather Observation\n                       System Data Acquisition System\n      FAA              (ADAS)                                       No\n      FAA              CAPSTONE                                     No\n                       Automated Radar Terminal System IIIA\n      FAA              (ARTS IIIA)                                  No\n                       Cyber Security Assessment and\n      FAA              Management (CSAM)                            No\n      FAA              FALCON                                       No\n                       Human Resources -Grievance\n      FAA              Electronic Tracking System (GETS)            No\n                       Logical Access & Authorization Control\n      FAA              (LAACS)                                      No\n                       On-Line Aviation Safety Inspection\n                       System\xe2\x80\x93Office of Aviation Safety\n      FAA              (OASIS-AVS)                                  No\n      FAA              Parts Reporting System (PRS)                 No\n                       Weather Messaging Switching Center\n      FAA              Replacement Sustainment (WMSCR)              No\n      FHWA             FHWA Network/LAN/WAN                         No\n                       Hazardous Materials Package\n      FMCSA            Inspection Program (HMPIP)                   No\n                       Automated Track Inspection Program\n      FRA              (ATIP)                                      Yes\n                       Data Center Common Operating\n      OST              Environment (COE)                           Yes\n                       Intermodal Transportation Database\n      RITA             (ITDB)/TranStats                             No\n      Source: OIG\n\n\nAs required by OMB, we completed the FISMA template, which captured key\nsecurity metrics and qualitative assessments pertaining to DOT\xe2\x80\x99s information\nsecurity program and practices. We also reviewed the Department\xe2\x80\x99s progress in\nresolving weakness identified in our prior year\xe2\x80\x99s FISMA report and compared our\ncurrent FISMA template to the prior template. OMB requires that the FISMA\ntemplate include information from all DOT Operating Administrations, including\nOIG.\n\n\n\nExhibit B. Scope and Methodology\n\x0c                                                                              30\n\n\nWe performed our information security review work throughout FY 2008,\nfocusing on OMB\xe2\x80\x99s FISMA template between June 2008 and September 2008.\nWe conducted our work at departmental and Operating Administration\nHeadquarters offices in the Washington, D. C., area. We conducted our audit in\naccordance with generally accepted government auditing standards. Those\nstandards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit\nobjectives.\n\nPrevious audit reports on the Department\xe2\x80\x99s information security program issued in\nresponse to the FISMA legislative mandate (formerly the Government Information\nSecurity Reform Act) include:\n\nDOT Information Security Program, FI-2008-001, October 10, 2007;\nDOT Information Security Program, FI-2007-002, October 23, 2006;\nDOT Information Security Program, FI-2006-002, October 7, 2005;\nDOT Information Security Program, FI-2005-001, October 1, 2004;\nDOT Information Security Program, FI-2003-086, September 25, 2003;\nDOT Information Security Program, FI-2002-115, September 27, 2002; and\nDOT Information Security Program, FI-2001-090, September 7, 2001.\n\n\n\n\nExhibit B. Scope and Methodology\n\x0c                                                                        31\n\n\n\n\nEXHIBIT C. DEPARTMENTAL OPERATING ADMINISTRATIONS\nAND SYSTEM INVENTORY COUNTS\n\n\n      Operating Administration                      FY 2008   FY 2007\n      Federal Aviation Administration (FAA)            264       264\n      Federal Highway Administration (FHWA)             26        25\n      Federal Motor Carrier Safety Administration\n      (FMCSA)                                          23        23\n      Federal Railroad Administration (FRA)            21        20\n      Federal Transit Administration (FTA)              5         5\n      Maritime Administration (MARAD)                  13        11\n      National Highway Traffic Safety\n      Administration (NHTSA)                           11        18\n      Office of Inspector General (OIG)                 2         3\n      Office of the Secretary (OST)                    44        42\n      Pipeline and Hazardous Materials Safety\n      Administration (PHMSA)                            4         5\n      Research and Innovative Technology\n      Administration (RITA)                             9        10\n      Saint Lawrence Seaway Development\n      Corporation (SLSDC)                               1         1\n      Surface Transportation Board (STB)                2         2\n          Total Systems                               425       429\n\n           Source: OIG and DOT\n\n\n\n\nExhibit C. Departmental Operating Administrations and System\nInventory Counts\n\x0c                                                                                            32\n\n\n EXHIBIT D. COMPARISON OF FISMA RESULTS FROM FY 2007\n TO FY 2008\nTemplate       OMB-Required Metrics and/or Qualitative\nQuestion No.   Assessments                                                  FY 2007        FY 2008\n2a             Percentage of systems certified and accredited                     81%             50%\n2b             Percentage of systems tested annually                              43%             81%\n2c             Percentage with tested contingency plans                           19%             56%\n               Agency performs oversight and evaluation of contractor-\n3a             owned systems.                                                  Always            Rarely\n               Agency has developed a complete inventory of major\n3b             information systems.                                            Always         Always\n               IG generally agrees with CIO on number of agency-\n3c             owned information systems.                                          Yes             Yes\n               IG generally agrees with CIO on number of contractor-\n3d             owned information systems.                                          Yes             Yes\n3e             Inventory is maintained and updated annually.                       Yes             Yes\n               The POA&M is an agencywide process incorporating all\n4a             known IT security weaknesses.                               Sometimes             Rarely\n               When an IT security weakness is identified, program\n4b             officials develop, implement, and manage POA&Ms.            Sometimes             Rarely\n               Officials report their progress on security weakness\n4c             remediation to the CIO at least quarterly.                      Always            Rarely\n               Agency CIO centrally tracks, maintains, and reviews\n4d             POA&M activities at least quarterly.                             Always         Rarely\n4e             IG findings incorporated into POA&M process.                     Always         Rarely\n4f             POA&M process prioritizes IT security weaknesses.            Frequently         Rarely\n5a             Quality of the certification and accreditation process      Satisfactory   Satisfactory\n6              Quality of the Privacy Impact Assessment                           Good    Satisfactory\n               Quality of the agency\xe2\x80\x99s progress in implementing OMB\xe2\x80\x99s\n7              Breach-Notification Requirements.                                   N/A         Failing\n8a             Is there an agencywide security configuration policy?               Yes             No\n               Extent to which systems implement common security\n8b             configurations                                                   Rarely           Rarely\n8c1            Agency implemented FDCC standard configurations?                   N/A               No\n               New acquisition regulations are included in all contracts\n8c2            related to common security settings.                                N/A              No\n               All Windows XP and VISTA systems have implemented\n8c3            FDCC settings.                                                      N/A              No\n               Agency follows documented procedures for identifying\n9a             and reporting incidents internally.                                 Yes              No\n               Agency follows documented procedures for reporting\n9b             incidents to US-CERT.                                               Yes             Yes\n               Agency follows documented procedures for reporting\n9c             incidents to law enforcement.                                       Yes             Yes\n               Agency has ensured that security training is provided to\n10             employees and contractors.                                   Frequently           Rarely\n               Agency explains policies regarding collaborative Web\n11             technologies and peer-to-peer file sharing in training.             N/A              No\n               Agency identified and validated all e-authentication\n12             applications.                                                       N/A              No\n\n Source: OIG\n\n\n Exhibit D. Comparison of FISMA Results From FY 2007 to FY 2008\n\x0c                                                                            33\n\n\n EXHIBIT E. STATUS OF PRIOR YEAR\xe2\x80\x99S RECOMMENDATIONS\n\n\n  FY 2007 FISMA\n      Report\n Recommendation\n     Number       FY 2007 Recommendation                           Status\n                  Enhance the protection of information\n                  systems by working with the Acting\n                  FAA Administrator to establish target      To Be Addressed in\n        1\n                  dates for correcting air traffic control    a Separate Report\n                  systems\' risk categorization in\n                  accordance with departmental policy.\n                  Enhance the protection of information\n                  systems by working with the affected\n                  Operating Administrations to ensure         Addressed in a\n        2\n                  proper risk categorization and security     Separate Report\n                  protection of systems containing\n                  personally identifiable information.\n                  Enhance the protection of information\n                  systems by requiring Operating\n                                                               Replaced by\n                  Administration CIOs and system\n        3                                                       FY 2008\n                  owners to identify and implement\n                                                             Recommendation\n                  security upgrades needed to meet\n                                                                   #27\n                  minimum security standards by\n                  March 31, 2008.\n                  Enhance the protection of information\n                  systems by establishing a security test\n                  and evaluation process for all\n        4         departmental systems operating on the            Open\n                  common IT infrastructure after the\n                  security controls review is complete for\n                  the expanded infrastructure.\n                  Enhance correction of identified\n                  security deficiencies by working with\n                  Operating Administrators to develop\n                  measures of accountability that would\n                                                               Replaced by\n                  hold Operating Administration CIOs\n        5                                                        FY 2008\n                  and system owners responsible for\n                                                             Recommendations\n                  timely correction and decisions to\n                                                                #20, 21, 22\n                  support cancellations of identified\n                  security weaknesses, such as\n                  incorporating these measures as part\n                  of their performance standards.\n\n\n\n\nExhibit E. Status of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                34\n\n\n\n  FY 2007 FISMA\n      Report\n Recommendation\n     Number        FY 2007 Recommendation                          Status\n                   Enhance network security configuration\n                   by working with Operating\n                   Administrations to establish an\n                   effective methodology to ensure that\n                                                                Replaced by\n                   commercial software products used in\n        6                                                         FY 2008\n                   departmental systems are configured in\n                                                              Recommendations\n                   accordance with security standards;\n                                                                  #8, 9, 10\n                   and by deploying an automated tool to\n                   systematically verify compliance with\n                   departmental baseline configuration\n                   standards.\n                   Enhance network security configuration\n                   by finalizing the secure remote access\n                   implementation and management\n                   policy; and continuing to explore\n                   alternatives to using employee home\n        7                                                          Open\n                   computers for telework, such as having\n                   a pool of Government-issued laptop\n                   computers that are properly configured\n                   and in compliance with departmental\n                   security standards to support telework.\n                   Ensure the consistency and timeliness\n                   of security-incident reporting by\n                                                                Replaced by\n                   directing the FAA CSIRC to establish\n        8                                                         FY 2008\n                   consistent procedures to ensure that all\n                                                              Recommendations\n                   security incidents are reported to the\n                                                                  #12, 13\n                   Department and US-CERT in a timely\n                   manner.\n                   Ensure the consistency and timeliness\n                   of security-incident reporting by\n        9          conducting periodic reviews of the              Open\n                   effectiveness of FAA\'s security-\n                   incident-reporting practice\n                   Ensure the consistency and timeliness\n                   of security-incident reporting by\n                   working with the FAA CIO to ensure\n       10          accurate security performance                   Open\n                   measurement reporting in the\n                   Performance and Accountability Report\n                   to OMB and the Congress.\n     Source: OIG\n\n\n\n\nExhibit E. Status of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                    35\n\n\nEXHIBIT F. MAJOR CONTRIBUTORS TO THIS REPORT\n\n\nName                                    Title\n\nRebecca C. Leng                         Assistant Inspector General for\n                                        Financial and Information\n                                        Technology Audits\nLouis C. King                           Program Director\nDr. Ping Z. Sun                         Program Director for IT Audit\n                                        Computer Laboratory\nJames Mallow                            Project Manager\nLissette Mercado                        Project Manager\nMichael P. Fruitman                     Communications Adviser\nVasily Gerasimov                        Information Technology\n                                        Specialist\nMartha Morrobel                         Information Technology\n                                        Specialist\nAnthony Cincotta                        Information Technology\n                                        Specialist\n\n\n\n\nExhibit F. Major Contributors to This Report\n\x0c                                                                                                     36\n\n           APPENDIX. MANAGEMENT COMMENTS\n\n\n\n           U.S. Department of\n           Transportation\n                                                                       Memorandum\n           Office of the Secretary\n           of Transportation\n\nSubject:    Response to OIG Input to FISMA Report (Exhibit A),                       Date:\n\n            for the Audit of the DOT Information Security Program,                            October 7, 2008\n            DOT\n                                                                             Reply to Attn.\n  From:                                                                                 of:\n\n            Dan Mintz\n            DOT Chief Information Officer\n    To:\n            Calvin L. Scovel, III\n            DOT Inspector General\n\n           The Department of Transportation (DOT) Chief Information Officer (CIO) reviewed the\n           Office Of Inspector General (OIG\xe2\x80\x99s) draft final FY 2008 Information Security Program\n           Audit Report and provided oral comments.\n\n           The CIO concurred with the report\xe2\x80\x99s findings and recommendations and will provide\n           written comments describing the specific actions and milestones that will be taken to\n           implement the recommendations, thirty (30) days after the signing date of the official FY\n           2008 FISMA Report.\n\n           Subsequent to its review, the CIO was pleased to note that actions are already being taken\n           in many areas to address the recommendations of the audit team, including:\n\n                x    The CIO allowed for an additional thirty (30) days of activity by the modes\n                     beyond the OIG audit cutoff of August 31, 2008. The additional inputs obtained\n                     during that period contribute to differences between the CIO\xe2\x80\x99s overall assessment\n                     of the Department and findings by the OIG (Exhibit D). As a consequence, the\n                     CIO will evaluate and establish a \xe2\x80\x9cFISMA year\xe2\x80\x9d to avoid these differences during\n                     subsequent FISMA evaluation cycles within the first quarter of FY2009.\n\n                x    In the area of incident response and reporting, the CIO is renewing the\n                     memorandum of agreement with the Federal Aviation Administration (FAA) for\n                     services provided to the Department by the Cyber Security Management Center\n                     (CSMC), expects to have the Secretarial Charter for the CSMC Board signed by\n                     the end of Q1 FY2009, and has assigned a resource to review and enhance\n                     reporting and metrics, and to provide oversight of modal plans to provide\n                     increased network visibility to the CSMC by the end of Q2 FY2009. In\n                     establishing the CSMC via Secretarial charter, it is instantiated as a Departmental\n                     entity with direct accountability to the Secretary, has durability in that it requires\n\n           Appendix. Management Comments\n\x0c                                                                                           37\n          Secretarial action to revoke the charter, and it serves to elevate situational\n          awareness and incident response to the attention of senior management.\n\n      x   As required by M-07-16, the DOT CIO and Senior Agency Official for Privacy\n          (SAOP) has established an agency response team for privacy, and the required\n          policy documents for Breach Notification, and Rules and Consequences are in\n          review prior to issuance in Q1 of FY2009. Evaluation of options to protect\n          privacy information on the Departmental network is planned to occur in Q1\n          FY2009, with a recommendation to the DOT CIO and DOT CIO Council to occur\n          early in Q2 FY2009.\n\n      x   To strengthen its configuration management policy and implementation across the\n          Department, the CIO has assigned a resource to provide oversight of the DOT\n          FDCC initiative, including an evaluation and rebaseline of the current plan by the\n          end of Q1 FY2009, and will issue updated policy, complete deployment of an\n          automated compliance solution already in progress, and begin regular monthly\n          and quarterly reporting and reviews of modal progress towards compliance by the\n          end of Q1 FY2009.\n\n      x   To strengthen its POAM management and quarterly compliance review process, a\n          resource has already been assigned to elevate the Department\xe2\x80\x99s verification and\n          validation processes for information assurance and privacy, with a goal of\n          improving the effectiveness of compliance reviews beginning the end of Q1\n          FY2009. As part of the process improvement, monthly reporting and the\n          quarterly compliance reviews will be revised to incorporate escalation of\n          unremediated POAM\xe2\x80\x99s or weaknesses to successively higher levels of DOT\n          management with the goal of driving towards successful remediation or explicit\n          acceptance of risk.\n\n      x   Lastly, as a measure to reinforce accountability of leadership for the information\n          assurance and privacy performance of their organizations, the CIO has already\n          begun efforts to incorporate appropriate performance elements into the\n          performance plans of modal CIO\xe2\x80\x99s, and the accountability agreements of modal\n          administrators. As part of that process, the CIO will solicit the input of OIG on\n          the proposed metrics. For FY2009 it is expected that this will occur as a pilot\n          effort, with a CIO objective of institutionalizing the performance elements\n          beginning with the FY2010 evaluation cycle.\n\nThe OCIO office appreciates the working relationship developed during this audit and\nlooks forward to the OIG\xe2\x80\x99s continued involvement during FY2009 with \xe2\x80\x9cGetting back to\nGreen\xe2\x80\x9d remediation efforts.\n\nIf you have any questions, please feel free to call me on 202-366-9201 or have a member\nof your staff call Andrew Orndorff on 202-366-7111.\n\n\ncc:       Rebecca Leng, JA-20\n          Martin Gertel, M-1\n\n\nAppendix. Management Comments\n\x0c                                                                             38\n\n\nThe following pages contain textual versions of the graphs and charts found in this\ndocument. These pages were not in the original document but have been added\nhere to accommodate assistive technology.\n\x0c                                                                                  39\n\n\n\n\n                         Information Security Program\n                      Section 508 Compliance Presentation\n\n\nTable 4. IT Security Weaknesses Overdue for Mitigation\n\nThe Surface Transportation Board (STB) has 67 total IT security weaknesses. Of\nthis total, all 67 are overdue or without a scheduled completion date. Specifically,\n52 are more than one year overdue and 15 have no completion date.\n\nThe Saint Lawrence Seaway Development Corporation (SLSDC) has no IT\nsecurity weaknesses.\n\nThe Research and Innovative Technology Administration (RITA) has 59 total IT\nsecurity weaknesses. Of this total, all 59 are overdue or without a scheduled\ncompletion date. Specifically, one is 91 to 120 days overdue; six are 121 days to\none year overdue; 18 are more than one year overdue and 34 have no completion\ndate.\n\nThe Pipeline and Hazardous Materials Safety Administration (PHMSA) has 128\ntotal IT security weaknesses. Of this total, all 128 are overdue or without a\nscheduled completion date. Specifically, 49 are 61 to 90 days overdue; 24 are 121\ndays to one year overdue; 27 are more than one year overdue and 28 have no\ncompletion date.\n\nThe Office of the Secretary of Transportation (OST) has 53 total IT security\nweaknesses. Of this total, 36 are overdue or without a scheduled completion date.\nSpecifically, one is 61 to 90 days overdue; 14 are 91to120 days overdue; three are\n121 days to one year overdue; 17 are more than one year overdue and one has no\ncompletion date.\n\nThe Office of the Inspector General (OIG) has 15 total IT security weaknesses. Of\nthis total, nine are overdue. Specifically, eight are 121 days to one year overdue\nand one is more than one year overdue.\n\nThe National Highway Traffic Safety Administration (NHTSA) has seven total IT\nsecurity weaknesses. Of this total, six are overdue or without a scheduled\ncompletion date. Specifically, four are more than one year overdue and two have\nno completion date.\n\nThe Maritime Administration (MARAD) has 337 total IT security weaknesses. Of\nthis total, five are overdue or without a scheduled completion date. Specifically,\n\x0c                                                                                  40\n\n\none is one to 60 days overdue; one is 61 to 90 days overdue; one is 91 to 120 days\noverdue and two have no completion date.\n\nThe Federal Transit Administration (FTA) has 17 total IT security weaknesses. Of\nthis total, none are overdue or without a scheduled completion date.\n\nThe Federal Rails Administration (FRA) has 257 total IT security weaknesses. Of\nthis total, 181 are overdue or without a scheduled completion date. Specifically,\ntwo are one to 60 days overdue; 30 are 91 to 120 days overdue; six are more than\none year overdue and 143 have no completion date.\n\nThe Federal Motor Carrier Safety Administration (FMCSA) has 28 total IT\nsecurity weaknesses. Of this total, 9 are overdue. Specifically, three are 61 to 90\ndays overdue and six are more than one year overdue.\n\nThe Federal Aviation Administration (FAA) has 3,049 total IT security\nweaknesses. Of this total, 217 are overdue or without a scheduled completion\ndate. Specifically, seven are one to 60 days overdue; five are 61 to 90 days\noverdue; four are 91 to 120 days overdue; two are 121 days to one year overdue;\nseven are more than one year overdue and 192 have no completion date.\n\nThe Federal Highway Administration (FHWA) has 269 total IT security\nweaknesses. Of this total, all 269 are overdue or without a scheduled completion\ndate. Specifically, two are 91 to 120 days overdue; 31 are 121 days to 1 year\noverdue; 226 are more than one year overdue and ten have no completion date.\n\nIn total, the Department has 4,286 IT security weaknesses. Of this total, 986, or\n23 percent, are overdue or without a scheduled completion date. Specifically, ten,\nor .2 percent, are one to 60 days overdue; 59, or 1.4 percent, are 61 to 90 days\noverdue; 52, or 1.2 percent, are 91 to 120 days overdue; 74, or 1.7 percent, are 121\ndays to one year overdue; 364, or 8.5 percent, are more than one year overdue and\n427, or ten percent, have no completion date.\n\x0c'